1+ ##
2+ # Security Configuration
3+ ##
4+
5+ # This configuration follows security best practices from:
16#
2- # Disable access to the entire file system except for the directories that
3- # are explicitly allowed later.
7+ # H5BP Server Configs (Apache)
8+ # https://github.com/h5bp/server-configs-apache
49#
5- # This currently breaks the configurations that come with some web application
6- # Debian packages.
10+ # OWASP Secure Headers Project
11+ # https://owasp.org/www-project-secure-headers/
712#
8- #<Directory />
9- # AllowOverride None
10- # Require all denied
11- #</Directory>
12-
13+ # RFC 8615 - Well-Known URIs
14+ # https://www.rfc-editor.org/rfc/rfc8615
15+ #
16+ # ##############################################################################
1317
14- # Changing the following options will not really affect the security of the
15- # server, but might make attacks slightly more difficult in some cases.
18+ # ------------------------------------------------------------------------------
19+ # | Server Software Information |
20+ # ------------------------------------------------------------------------------
1621
17- #
18- # ServerTokens
19- # This directive configures what you return as the Server HTTP response
20- # Header. The default is 'Full' which sends information about the OS-Type
21- # and compiled in modules.
22- # Set to one of: Full | OS | Minimal | Minor | Major | Prod
23- # where Full conveys the most information, and Prod the least.
24- #ServerTokens Minimal
25- # ServerTokens OS
26- # #ServerTokens Full
22+ # Minimize information sent about the server
23+ # https://httpd.apache.org/docs/current/mod/core.html#servertokens
2724ServerTokens Prod
2825
29- #
30- # Optionally add a line containing the server version and virtual host
31- # name to server-generated pages (internal error documents, FTP directory
32- # listings, mod_status and mod_info output etc., but not CGI generated
33- # documents or custom error documents).
34- # Set to "EMail" to also include a mailto: link to the ServerAdmin.
35- # Set to one of: On | Off | EMail
26+ # Disable server signature on error pages
27+ # https://httpd.apache.org/docs/current/mod/core.html#serversignature
3628ServerSignature Off
37- # ServerSignature On
3829
39- #
40- # Allow TRACE method
41- #
42- # Set to "extended" to also reflect the request body (only for testing and
43- # diagnostic purposes).
44- #
45- # Set to one of: On | Off | extended
30+ # Disable TRACE HTTP method to prevent XST attacks
31+ # https://owasp.org/www-community/attacks/Cross_Site_Tracing
4632TraceEnable Off
47- #TraceEnable On
4833
49- #
50- # Forbid access to version control directories
51- #
52- # If you use version control systems in your document root, you should
53- # probably deny access to their directories. For example, for subversion:
54- #
55- <DirectoryMatch "/\.git">
56- Require all denied
34+ # ------------------------------------------------------------------------------
35+ # | Security Headers |
36+ # ------------------------------------------------------------------------------
37+
38+ # Prevent clickjacking attacks by disabling iframe embedding
39+ # https://owasp.org/www-project-secure-headers/#x-frame-options
40+ Header always set X-Frame-Options "SAMEORIGIN"
41+
42+ # Prevent MIME type sniffing attacks
43+ # https://owasp.org/www-project-secure-headers/#x-content-type-options
44+ Header always set X-Content-Type-Options "nosniff"
45+
46+ # Control referrer information sent with requests
47+ # https://owasp.org/www-project-secure-headers/#referrer-policy
48+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
49+
50+ # Enable HTTP Strict Transport Security (HSTS)
51+ # https://owasp.org/www-project-secure-headers/#strict-transport-security
52+ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
53+
54+ # ------------------------------------------------------------------------------
55+ # | File Access Restrictions |
56+ # ------------------------------------------------------------------------------
57+
58+ # Block access to all hidden files and directories (dotfiles)
59+ # EXCEPT for the "/.well-known/" directory which is required by RFC 8615
60+ # for ACME challenges, security.txt, and other standardized endpoints.
61+ # https://www.rfc-editor.org/rfc/rfc8615
62+ # https://github.com/h5bp/server-configs-apache
63+ <DirectoryMatch "/\.(?!well-known/)">
64+ Require all denied
5765</DirectoryMatch>
5866
59- # Prevent Apache from serving Gitlab files
60- <FilesMatch "\.gitlab-ci.yml$">
61- Require all denied
67+ # Block access to files that may expose sensitive information
68+ # Based on H5BP server configs: https://github.com/h5bp/server-configs-apache
69+ <FilesMatch "(^#.*#|\.(bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$">
70+ Require all denied
6271</FilesMatch>
6372
6473# Disable XML-RPC on all wordpress sites
6574<Files xmlrpc.php>
6675 Require all denied
6776# allow from xxx.xxx.xxx.xxx
68- </Files>
69-
70- #
71- # Setting this header will prevent MSIE from interpreting files as something
72- # else than declared by the content type in the HTTP headers.
73- # Requires mod_headers to be enabled.
74- #
75- Header always set X-Content-Type-Options: "nosniff"
76-
77- #
78- # Setting this header will prevent other sites from embedding pages from this
79- # site as frames. This defends against clickjacking attacks.
80- # Requires mod_headers to be enabled.
81- #
82- Header always set X-Frame-Options: "sameorigin"
83-
84- #
85- # Referrer policy
86- #
87- Header always set Referrer-Policy "no-referrer-when-downgrade"
88-
89- #
90- # Content Security Policy
91- # UPDATE - September 2020: Commenting this out until we grasp better security requirements
92- #
93- #Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"
94-
95- #
96- # Strict-Transport-Security Policy (set HSTS)
97- #
98- Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
77+ </Files>
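Review bot: `<DirectoryMatch "/\.(?!well-known/)">` at new line 63 matches directories only, so dotfiles in the document root such as the `.gitlab-ci.yml` that the removed `<FilesMatch "\.gitlab-ci.yml$">` block covered are no longer denied, and the new FilesMatch extension list at line 69 does not include `yml`; the comment above line 63 claims to block hidden files as well, which this directive cannot do. A file-level rule next to it would restore that coverage: `<FilesMatch "^\.">` / `Require all denied` / `</FilesMatch>` (files served from inside `.well-known/` are not themselves dotfiles, so the RFC 8615 exemption is unaffected). Whether the `(?!well-known/)` lookahead sees a trailing slash on the matched directory path appears to depend on the Apache version, so that exemption is worth confirming on the target build rather than assumed. The `Header always set` lines also abort startup when mod_headers is not loaded; the removed comments stated that requirement, and either an `<IfModule mod_headers.c>` wrapper or a restored comment would keep it visible.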